Showing posts with label Latvia.

Monday, 17 April 2017

Malware spam: "RE: RE: ftc refund" / secretary@ftccomplaintassistant.com

This fake FTC email leads to malware. Curiously, it was sent to a company that had received a multimillion-dollar FTC fine, but this is almost certainly a coincidence.

From:    Federal Trade Commission [secretary@ftccomplaintassistant.com]
Date:    17 April 2017 at 15:25
Subject:    RE: RE: ftc refund


It seems we can claim a refund from the FTC.
Check this out and give me a call.
https://www.ftc.gov/refunds/company/companyname.com/FTC_refund_recipientname.doc
Thank you
James Newman
Senior Accountant
secretary@ftccomplaintassistant.com
212-0061570

The link in the email actually goes to a URL beginning http://thecomplete180.com/view.php?id= followed by a Base64-encoded string that appears to be 6281 + recipient email address + 5434 (so for president@whitehouse.gov it would be http://thecomplete180.com/view.php?id=NjI4MXByZXNpZGVudEB3aGl0ZWhvdXNlLmdvdjU0MzQ=). Because the recipient address is embedded in the token, decoding the id from a proxy log tells you exactly which mailbox clicked through.
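As an added example (not code from the original post), here is a small Python helper that recovers the targeted mailbox from a lure URL found in mail or proxy logs, and does the inverse: builds the exact URL a given recipient would have been sent so it can be searched for verbatim. The lure host and the worked address are from the post; treating the 6281/5434 markers as constant across the whole run is an assumption. Proxy logs often lose or %-encode the trailing "=" padding, so the token is re-padded before decoding.

```python
import base64
import binascii
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Values taken from the post: the lure host and the two numeric markers that
# wrap the recipient address inside the Base64 id. Assumed constant for the run.
LURE_HOST = "thecomplete180.com"
PREFIX = "6281"
SUFFIX = "5434"


def decode_lure_id(id_value: str) -> Optional[str]:
    """Return the recipient address hidden in a view.php?id= token, or None.

    Logs frequently drop the trailing '=' padding, so it is restored first.
    """
    token = id_value.strip()
    token += "=" * (-len(token) % 4)
    try:
        raw = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if not (raw.startswith(PREFIX) and raw.endswith(SUFFIX)):
        return None
    inner = raw[len(PREFIX):len(raw) - len(SUFFIX)]
    # Marker pair with nothing address-like in between is not a hit.
    return inner if "@" in inner else None


def recipient_from_url(url: str) -> Optional[str]:
    """Given a URL seen in mail or proxy logs, return the targeted mailbox if
    it is one of these lure links, else None."""
    parts = urlparse(url)
    if parts.hostname != LURE_HOST or not parts.path.endswith("/view.php"):
        return None
    ids = parse_qs(parts.query).get("id")   # parse_qs also turns %3D back into '='
    return decode_lure_id(ids[0]) if ids else None


def lure_url_for(recipient: str) -> str:
    """Inverse direction: the exact URL a given mailbox would have received,
    for verbatim hunting in proxy or mail-gateway logs."""
    token = base64.b64encode(f"{PREFIX}{recipient}{SUFFIX}".encode("ascii")).decode("ascii")
    return f"http://{LURE_HOST}/view.php?id={token}"


if __name__ == "__main__":
    sample = "http://thecomplete180.com/view.php?id=NjI4MXByZXNpZGVudEB3aGl0ZWhvdXNlLmdvdjU0MzQ="
    print(recipient_from_url(sample))                         # president@whitehouse.gov
    print(lure_url_for("president@whitehouse.gov") == sample)  # True
```

Run it over the URL column of your proxy logs; any non-None result names a user who clicked, and lure_url_for() gives you a search string per mailbox if you want to check who was sent the lure in the first place.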

Obviously this downloaded document is up to no good, but the VirusTotal detection rate is only 5/56. The Word document itself tries to persuade victims to enable macros, which would be a bad idea.


Automated analysis [1] [2] shows network traffic to:

wasstalwihis.com/bdk/gate.php
littperevengpa.com/ls5/forum.php
littperevengpa.com/mlu/forum.php
littperevengpa.com/d1/about.php
hybridinformatica.com.br/blog/wp-content/themes/twentyeleven/inc/a1
hybridinformatica.com.br/blog/wp-content/themes/twentyeleven/inc/1
hybridinformatica.com.br/blog/wp-content/themes/twentyeleven/inc/2


It also appears to start sending traffic via Tor, which is a good reason to monitor Tor on your network. All sorts of files are dropped, most of which don't seem to be particularly malicious. The "gate.php" path indicates a Pony downloader, but this does look like a tricky bugger.

Out of the domains contacted, littperevengpa.com and wasstalwihis.com share the same registrant details and look fairly evil. The same registrant can be associated with the following domains:

soinwarep.com
ronwronsednot.com
withwasnothar.com
dingandrinfe.com
troverylit.com
derby-au.com
utonerutoft.com
situghlacsof.com
tinjecofsand.com
fortotrolhec.com
fydoratot.com
redwronwassdo.com
ronkeddari.com
littperevengpa.com
suranfortrep.com
newbillingplace.com
usps-daily-delivery.com
ringcentral-fax-inbox.com
wassheckgehan.com
wasstalwihis.com
meredondidn.com
satertdiut.com
vernothesled.com
veuntedund.com
ranwithtorsdo.com
notwipaar.com
dintrogela.com
adp-monthly-billling.com
rigakeddo.com
random-billing.com
hetoftinbut.com
hemlittratdidn.com

Perhaps more usefully, we can associate that registrant with the following IPs:

178.170.189.254 [hostname: nejokexulag.example.com] (Servachok Ltd, Russia)
185.146.1.4 (PS Internet Company LLC, Kazakhstan)
185.48.56.63 (Sinarohost, Netherlands)
185.80.53.76 (HZ Hosting, Bulgaria)
188.127.237.232 (SmartApe, Russia)
193.105.240.2 (Sia Vps Hosting, Latvia)
194.1.239.63 [hostname: nejokexulag.example.com] (Internet Hosting Ltd, Russia)
195.54.163.94 (PE Dobrogivskiy Muroslav Petrovich, Ukraine)
212.116.113.108 (Prometey Ltd, Russia)
46.148.26.87 [hostname: nejokexulag.infium.net] (Infium UAB, Ukraine)
47.90.202.88 (Alibaba.com, China)
77.246.149.100 [hostname: nejokexulag.e-vds.ru] (E-planet Ltd, Russia)
87.118.126.207 (Keyweb AG, Germany)
88.214.236.158 (Overoptic Systems, Russia)
91.230.211.67 [hostname: nejokexulag.freeopti.ru] (Optibit LLC, Russia)
93.189.43.36 (NTCOM, Russia)

This gives us a pretty useful minimum blocklist:

178.170.189.254
185.146.1.4
185.48.56.63
185.80.53.76
188.127.237.232
193.105.240.2
194.1.239.63
195.54.163.94
212.116.113.108
46.148.26.87
47.90.202.88
77.246.149.100
87.118.126.207
88.214.236.158
91.230.211.67
93.189.43.36




Tuesday, 11 April 2017

Pump and dump spam: Quest Management Inc (QSMG) stock

Following on from last month's INCT pump and dump spam, the Necurs botnet is now promoting a Latvian company, Quest Management Inc (QSMG), instead.

From:    Jenna Goff
Date:    11 April 2017 at 13:37
Subject:    FDA approval is about to send this stock up fifty fold

Why is Quest Management (Symbol: QSMG) guaranteed to jump 5,000% this month?

They have a cure for cancer.

This biotech is run by some of the most prolific scientists in America. Together, they have more than 400 years of experience in the field and have more diplomas than we can even imagine.

Cancer kills 1 out of 4 people in our country and we have all been affected by it either directly or indirectly.

Who doesn't know someone who's died from it?

The company's scientists are targeting cancer using stem cells. They are able to identify the bad cells and destroy them without radiating the entire body (like is common with chemo).

Apart from saving millions of lives, their treatment will surely become the No1 selling drug on earth.

The company has already made serious headway thanks to nearly two decades of research.

This cutting edge biotech company has completed animal trials successfully and just wrapped up FDA-approved human trials last week.

The next step is the public announcement of those results, which we hear through the grapevine have beat all expectations and will change the world of medicine forever.

The results will be announced this month, and once they are out the stock will jump to $25 a share overnight and will continue up to $50 or more quickly after.

"Quest"'s biotech arm could have a cancer cure that can be totally effective in killing tumors in more than 40% of patients worldwide available in hospitals throughout the globe by the end of the year.

Once that happens, we're talking about a $1000 a share stock.

We're literally coming in at the last mile, out of nowhere, and grabbing profits from their last 2 decades of hard work.

Consider buying QSMG right now while it's still at under 5 dollars and make sure to tell all your friends to do the same before the price explodes.

You can guarantee that the promise of a future big payout is a lie. For comparison, the INCT stock promoted last month crashed from 13 cents to 3 cents, and the promised buy-out of that company never happened.

But surely this is different? QSMG stock went up 60% yesterday..

Well, as you can see from the chart.. it took a sudden dive and then shot up again. It looks like someone sold 26,000 shares and maybe more (maybe at a discount last week), followed by a small purchase of just 100 shares at an apparently higher price. A casual passer-by might think that was someone trying to manipulate the stock price.


Financials indicate that QSMG has never really done much in the way of business, and the stock price nosedived from an epic $2000 a share a year ago to less than $2 today.


Market cap is currently quoted at $119m with 70 million shares outstanding, which is a lot for a company with a turnover of a few thousand dollars a quarter. There's a 1000:1 reverse split in there from October, so a year ago the company appears to have been valued at an even more insane amount.

Probably utterly coincidentally, an agreement was recently made for a legitimate US investment company to acquire 46 million shares of QSMG. Perhaps someone else holding QSMG stock is looking for a payday?

Anyway.. most stocks promoted by pump and dump spam crash and burn. Buying stocks based on a tip from an illegal spam run would be extremely unwise in my personal opinion.

UPDATE 1

We'll probably see several different versions of this illegal botnet-driven spam. Here is the second one..

From:    Lottie Nash
Date:    11 April 2017 at 19:31
Subject:    This biotech has developed a cure for cancer and its shares are soaring.

One of my friends at Goldman told me to buy QSMG this morning.

He is an expert at this stuff and has never let me down before. After researching the company, it seems that he may be right.

I am going to buy 5,000 shares now because it's all I can afford, but you should buy as little or as many as you possibly can...

Their biotech arm, Stemvax has developed a cure for cancer and just completed successful human trials under the FDA's supervision.

The stock has jumped 3X already since last week and is guaranteed to go to at least 20 dollars this month based on his research.

Once QSMG's official announcements for the cure become public, there's no saying how high their share price will go.

I expect some very serious stuff to be announced in the coming 2 weeks. Act quickly so you don't miss out.

UPDATE 2

Another one. Incidentally, the email address used for some of these illegal spam emails appears to have been obtained from CompareTheMarket.com. Nice.

From:    Fay Vinson
Date:    12 April 2017 at 09:19
Subject:    An imminent green light from the fda will send this drug maker soaring.

There are very few times in life when we truly get the chance to be part of something big, and profitable at the same time.

The doctors at QSMG have been working nonstop for more than 20 years to get to this moment a cure for cancer.

They completed animal trials last year which were very positive, and completed human trials just a few days ago with the fda's blessing.

The results are not out yet but according to my sources, the human trials were very successful as well and cancer cells were successfully killed in 40% of all cases.

40% might not seem like a passing grade, but it is above and beyond what everyone was expecting. This makes it the most successful cancer drug on earth, and best of all it is non-invasive.

The results will be announced this month, and once they are out the stock will jump to $25 a share overnight and will continue up to $50 or more quickly after.

Want to feel like a genius? Buy QSMG right now while it's still at just 2 dollars, and wait it out 2 weeks. You will be rewarded handsomely.

UPDATE 3

Another version of this spam is attached below. This "Stemvax" company is not actually part of QSMG, but according to a press release yesterday it's an intended acquisition. I wonder how they're paying for that company? Cash? Stocks? More after this spam..

From:    Araceli Rutledge
Date:    12 April 2017 at 15:34
Subject:    This company found a cure for cancer. Their stock is flying.

This is a super rare opportunity that may never come again. This biotech company has finally found a cure for cancer after more than 20 years of stem cells and immunotherapy research.

They had very positive trials both on animals and humans (according to my sources) where tumors got killed at a rate of 41%

Their medicine is going to change the world once it gets rolled out in a few months. We are awaiting an official announcement from the company in the next couple of weeks, but it seems I am not the only one in the know because their stock has quadrupled since last week.

QSMG is guaranteed to hit 25 bucks a share overnight once they release their announcement to the public. You really need to think about buying shares right now before it shoots up higher.

So.. I was researching this whole takeover thing and also found a similar but rather promotional commentary on a site, oracledispatch.com, which attributes the bump in QSMG shares to the Stemvax acquisition rather than the spam run:

Quest Management Inc (OTCMKTS:QSMG) had a nice day yesterday moving higher by 15% adding some needed liquidity. The driver for this move came from a Letter of Intent to acquire immunotherapy Biotech company Stemvax, Inc., from Dr. Dwain Morris-Irvin PhD. Upon Closing, Dr. Morris-Irvin will simultaneously become CEO of the newly formed Biotech division of Quest.

Wait a minute. Let's look at that logo on this "news" site.



My goodness, that looks very much like the logo of the entirely unrelated Oracle Corporation.

Anyway, every stock mentioned on that site looks like it could be part of a paid promotion. That's not illegal per se. Spamming out millions of emails from a botnet of hacked machines is.

UPDATE 4

Another spam.. this time it's a "friend at the FDA" rather than "One of my friends at Goldman". Yeah, right.

From:    Teri Dunn
Date:    13 April 2017 at 08:58
Subject:    An imminent event is sending this stock price through the roof.

What if I told you that I know of a company that has actually found a cure for cancer.

They have proven its efficacy in animal tests and have recently just completed their testing on humans.

The results of the tests on the human subjects are not out yet, we are expecting them to become public some time in the next two to three weeks,
but a friend of mine who works at the FDA told me that they are life changing.

It seems that in around forty percent of cases, tumors were successfully destroyed. This number is absolutely huge!
It means that more than a third of the people with cancer can be cured with this therapy.

This is going to change the world, and once the announcement becomes public,
it is guaranteed that their stock price will go to more than 24 to 30 bucks in a matter of hours.

This is why I highly, highly recommend that you buy QSMG as soon as you can today. Get in ahead of the herd.

UPDATE 5

Another one. Perhaps the "I have a good friend who works at the fda" part should read "I have a good friend who is going to jail for securities fraud"?

From:    Socorro Conrad
Date:    13 April 2017 at 18:48
Subject:    Here is a tip that could change your life

I have a good friend who works at the fda, and from time to time he tells me about things before they happen.

This is why I am sending you this message today. Earlier this week he told me about a
company that has found a way to kill cancer tumors in 40% of all breast and prostate cases.

While this isn't a one hundred percent method, it works good enough to save over 50 million lives a year.
The company just completed human trials a couple of weeks ago and have yet to release the results.

Once those positive results hit the public, the company's shares are going to go nuts.

QSMG is currently at under 3 bucks a share. I can guarantee that it will pass 25 to 30 before the end of the
month when those results are out.

Act quickly by getting in now and securing yourself a position ahead of the herd.

UPDATE 6

Surprisingly, the US stock markets are open on Easter Monday so yet another version of this illegal pump-and-dump spam is coming out to prime people. In this case the P&D spam has driven the stock price up.. expect a sharp drop when people realise that it is bullshit.

From:    Milagros Galloway
Date:    17 April 2017 at 09:47
Subject:    This trading idea could tenfold your portfolio this month

In case you missed my email last week, timing is getting very tight now.

You must read on to understand why you must act quickly for your benefit, and the benefit of your friends and family.

If you recall, I told you that I have a friend who works at the food and drug administration who told me about a small company that has just completed human trials for a life-saving cancer therapy.

It seems that in about forty percent of instances, cancer receded. This is an enormous number.

There is nothing else on the market at the moment that can save 40% of patients with breast or prostate cancer.

This drug does.

The small company’s stock is going to go up from 2 dollars to over 30 dollars the moment that this announcement is made public within the next two weeks.

Your window opportunity to buy shares of QSMG is quickly closing. You must act quickly before you miss out.

UPDATE 7

It looks like the bubble has burst on this P&D spam, as there is a note of desperation here..

From:    Alta Stewart
Date:    17 April 2017 at 17:15
Subject:    Do not miss on this chance to triple your money in the market

There is a rare opportunity in the market right now, so rare that it may only happen once in a lifetime.

I have it on good information that a small biotech company is about to receive approval from the f d a for a life-saving medicine.

This medicine is poised to become the next biggest seller in the world as it has just been shown to kill cancer.

This is why there has been a lot of activity surrounding the stock. People are trading it on wrong information, and it's in the red today because of that.

I highly suggest that you buy in right now while fools are getting out, and the stock is cheap because it's going to go up twenty fold in the next 2 weeks

when the public announcement comes out, and the medicine is officially approved. Move quickly though, because otherwise you will miss out.

The opportunity to buy QSMG at these discounts will not last long, and you will regret you didn't jump in when you had the chance.

Yup.. the stock has crashed and burned today. Hardly surprising..


(Even as I am writing this the stock has just crashed below the $1 barrier). Ah well, anyone foolish enough to pay over the odds for this stock has just been burned. But who is actually making money from this stock manipulation?


UPDATE 8

QSMG stock continues to crater, but it hasn't stopped the spammers trying again..

From:    Jesus Cote
Date:    18 April 2017 at 09:39
Subject:    This stock tip is for your eyes only. The chance may never come again

I know of a cutting edge company that has just completed the development of a new life saving medicine. A friend who works at a high position, at a secretive place told me about it.

This medicine has been proven in both lab tests, and human tests to destroy tumors in almost 50% of instances.

For all practical purposes, I would call it a cure for one of the most deadly diseases of our times.

Being the type of person that I am, I asked myself how we can profit from this information.

The answer is very simple. Within the next week or two, QSMG will make the announcement public and once they do, their stock will go up to over 20 bucks overnight.

So the trick is to grab shares right now, while their price is still dirt cheap and while nobody knows what's about to come.

This is how you get your big break. This is how your life will finally change. Take the leap forward.


---
Best Regards,
Jesus Cote

Yesterday it dropped 73%. It will be interesting to see if it continues its race to the bottom today.

UPDATE 9

After a few days off, the pump and dump spammers are trying again as the share price sticks at 72 cents. It says "This is probably the last time that I will contact you with this information".. we can only hope. Perhaps coincidentally, QSMG announced they are in negotiations to buy another company.

From:    Arlene Sanders
Date:    24 April 2017 at 09:27
Subject:    This time sensitive information could make you very wealthy

If you missed my heads up over this last week and a half, this is finally your time to act because in just 48 hours something big is going to happen.

This is probably the last time that I will contact you with this information.

My friend at goldman gave me a call over the weekend and told me that the big acquisition we’ve been waiting for is going to occur on Wednesday. The day after tomorrow.

Pfizer is going to complete the purchase of QSMG (a small, public company) at a price of 23.79 dollars a share. For those of you doing the math out there, that's approximately 30 times higher than where the stock is at now.

If you're wondering why it's happening at such a high price, that’s because these guys just completed human trials on a cancer drug which has proved to be effective in around 40% of cases, and big pharma wants this for itself.

I suspect that I am not the only one who might have heard of this news so the stock may start climbing today and tomorrow before the big announcement becomes public on Wednesday evening.

This is quite literally the chance of a lifetime. If you miss out, you'll probably never be able to make 30x on your money so fast again.

Ten grand into QSMG today will turn into a quarter million bucks by Thursday.


***
King Regards,
Arlene Sanders

UPDATE 10

It turns out that the last one wasn't the last one! You might even think that they are lying. And wait.. QSMG doesn't stand for Quest Science Management Gate at all, does it?

From:    Jeanne David
Date:    24 April 2017 at 16:30
Subject:    I have a tip to share with you

In less than 2 days, this stock will go up 20 times overnight.


I've done a lot for you over the years and you've made an insane amount of profits listening to me.

Today and tomorrow is your last chance to seize the opportunity before it disappears.

My good friend who works at a firm I will not mention in upstate NY told me that a big takeover is about to happen.

A little American biopharma company discovered a new treatment for cancerous tumors and one of the biggest companies (starts with a P) is going to announce the official takeover on Wednesday (in 2 days).

The price at which this will happen more than 20 times what their stock is trading at now. Literally at 23 bucks a share from a current 80 cents.

Write this symbol down, it's the first letter of each word: Quest Science Management Gate that's q followed by s then m and g

This is the 4 letter symbol you need to tell your broker you want to buy, or just type it in yourself in your brokerage.

I hope you're ready to make it big. I expect a big thank you and an invite for steak this weekend.




---
Best Regards,
Jeanne David

UPDATE 11

This spam mentions "Wednesday night" as being when this nonexistent takeover of this crappy stock will take place. Will the spam stop then?

From:    Patsy Sandoval
Date:    25 April 2017 at 09:24
Subject:    By tomorrow evening this stock will be twenty times higher

Did you read my urgent email yesterday?

I outlined very specifically a game plan for you to make more than 20 times on your principal within the next 48 hours.

Let me hit you with the gravy and leave out all the boring details… there's a friend of mine who works at a top 50 firm upstate and he was privy to details of a take over.

In a nutshell there is a very large pharmaceutical company (its name starts with a P) who is finalizing the acquisition of a small public corporation that is currently trading at around 80 cents.

The take over price will be a little over 20 bucks and the official announcement is coming tomorrow night (wed night).

They're paying this much for it because of a novel stem cell treatment which eradicates cancer.

I don't need to tell you what will happen to the share price when this announcement hits the news outlets.

The company's trading symbol is Q as in Quest, S as in Sam, M as in Mother, G as in Great.

These are the 4 letters you need to type into your brokerage account to buy the stock or give to your broker over the phone.

Just ten thousand bucks into this will turn into over two hundred grand by Thursday morning.

You need to act quickly though because it seems I may not be the only one with this information, as I am seeing the price creep up a little already since Monday.



-----
Best Regards,
Patsy Sandoval 

UPDATE 12

This one claims QSMG's "share price is going through the stratosphere". Umm no, it's just bouncing around in the somewhat volatile pumped range that it has been in all week. In my opinion the true value is probably rather closer to $0.00.



From:    Dante Odonnell
Date:    25 April 2017 at 15:54
Subject:    This company's being acquired tomorrow

Its share price is going through the stratosphere.



The cat might be out of the bag now but there is still a massive opportunity to benefit.

I say that the secret is out because the stock price has gone up two days in a row but the reality is that it must be very few people who know information otherwise it would've gone ten times higher.

In case you missed my message yesterday, here is what is happening.. A big pharma corp is acquiring a minuscule public co and this is happening at a price that is 20 times greater than where it currently is.

This means that if you can put 10 thousand in right now, you will take out 200 grand by Thursday morning.

This info is solid. It comes from an attorney who's a long time friend of mine and who literally saw the acquisition documents with his own eyes.

You must be wondering what the company's trading symbol is, and I will not tease you any longer… it's Q like in Quality, S like in Straight, M like Mary and G like Gold

These four letters together make up the company's ticker and that's what you will need to give to your broker, or type into your online account to purchase the stock.

I highly recommend you do this as quickly as possible because there is no guarantee that the price will remain this low much longer.

I expect it'll continue to rise and rise as the insider information spreads. Nonetheless the potential to benefit is absolutely gigantic here.




-----
Best Regards,
Dante Odonnell

UPDATE 13

If you believe the lies this spam is pushing, QSMG are going to be the subject of a takeover bid by Pfizer today. Obviously this is crap, but the spam still keeps trying to pump the share price up nevertheless.

From:    Reba Sykes
Date:    26 April 2017 at 07:28
Subject:    Your chance to make an amazing move is quickly slipping away

There is reason for excitement. A good friend of mine who works at a high place which I will not name told me about a crazy opportunity...

There is an acquisition about to be completed by a very large company.

They're buying out a small medical firm at more than 20 times what it's currently trading at.

This means that every ten thousand bucks you put in will turn into two hundred grand the moment the announcement becomes public.

The symbol for this company is the first letter of each of the following words: Quick, Should, Must, Get.

These 4 letters are what you must type in to your brokerage account or tell your broker in order to get the shares.

I really, really recommend you move on it quickly because the announcement will become public at any day now and this may be your last chance to get in before it's too late.


-------
Best Wishes,
Reba Sykes

UPDATE 15

This one (the 16th version) says (amongst other crap) "This guy has always been right so far. In fact if you remember, the tip I gave you last year… the one on which you made 15x in 2 weeks was from him. Yes, that's right." Funny I don't remember that particular investment. 'Cos it didn't happen.

From:    Jeromy Humphrey
Date:    26 April 2017 at 14:42
Subject:    This is your opportunity to get a 20 bagger in the market very fast

One of my closest buddies, who happens to be a banker, let me in on a little tip earlier on.

There's this really awesome small bio technology firm which has discovered something ground breaking,

and because of this unprecedented discovery they're about to be bought out for a little over 20 times their current value.

One of the most prominent large firms in America is about to make this news public.

When that happens, the small company's stock is going to virtually go up more than twenty three fold overnight.

Let me put this in perspective for you. It means that every 10 thousand bucks you put in this will turn into almost a quarter million when the news is out.

This guy has always been right so far. In fact if you remember, the tip I gave you last year… the one on which you made 15x in 2 weeks was from him. Yes, that's right.

So before I forget, here is the stock symbol.. It's the 1st letter of each of the following words: Quickly Super Mouse Green

I'm giving it to you in “code” in order to avoid potentially prying eyes, in case you are at the office, a cafe or something.

So with the first letter of each of these words, you've got your four letter symbol.

Input this in your online account to buy the stock or call your broker and give it to him and he will make the purchase for you.

One last thing, I don't know if I am the only one who knows this information so it's possible that the price will go up on other people buying,

but nonetheless if you can get in at under a buck twenty, I really recommend you jump on it as soon as physically possible.



--
Best Wishes,
Jeromy Humphrey
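
The spelled-out tickers in the last few spams ("Q as in Quest, S as in Sam...", "Quick, Should, Must, Get", the one-word-per-line list, and the bare "Q S M G") are there to keep the symbol out of plain-text spam filters. As an added example, not part of the original post, here is a Python heuristic that recovers a ticker from those three obfuscation styles; the sample bodies are constructed from snippets of the spam quoted on this page, and the regexes are mine and would need tuning against real mail before use as a filter rule.

```python
import re
from typing import Iterable, List

# Constructed test input: trimmed snippets of the QSMG spam quoted on this page,
# plus one benign message that must not trigger.
SAMPLES = {
    "acrostic_colon": ("Write this symbol down, it's the first letter of each word: "
                       "Quest Science Management Gate that's q followed by s then m and g"),
    "acrostic_list": ("The symbol for this company is the first letter of each of the "
                      "following words: Quick, Should, Must, Get.\n\nThese 4 letters are what you must type in"),
    "as_in": "The company's trading symbol is Q as in Quest, S as in Sam, M as in Mother, G as in Great.",
    "like_in": "it's Q like in Quality, S like in Straight, M like Mary and G like Gold",
    "spaced": "The current price of Q S M G (this is the symbol you need to enter in your account to buy)",
    "multiline": ("The symbol which you need is the first letter of each of these words:\n\n"
                  "Quick\nSun\nMain\nGoal\n\n\nTogether they make up the 4 letter symbol which you need."),
    "watch": "watch symbol : Quick Sure Mary Garage (use the first letters of each word to make up your 4 letter symbol)",
    "clean": "Please find the Q2 invoice attached. Regards, Sam",
}

# Style 1: "first letter of each (of the following) word(s):" or "symbol :" then the words.
ACROSTIC_LEADIN = re.compile(
    r"(?:first|1st)\s+letters?\s+of\s+each\s+(?:of\s+)?(?:the\s+following\s+|these\s+)?words?\s*:?"
    r"|symbol\s*:",
    re.IGNORECASE,
)
# Style 2: "Q as in Quest, S as in Sam" / "M like Mary".
PHONETIC = re.compile(r"\b([A-Z])\s+(?:as|like)\s+(?:in\s+)?[A-Z][a-z]+")
# Style 3: capital letters separated by single spaces: "Q S M G".
SPACED = re.compile(r"\b(?:[A-Z] ){2,4}[A-Z]\b")
# The word list ends at a sentence boundary, an opening bracket or a blank line.
LIST_END = re.compile(r"\.\s|\.$|\(|\n\s*\n")
CAP_WORD = re.compile(r"\b[A-Z][a-z]+\b")

MIN_LEN, MAX_LEN = 3, 5   # plausible ticker length


def extract_tickers(body: str) -> List[str]:
    """Return candidate ticker symbols spelled out in the message (deduplicated, sorted)."""
    found = set()

    for m in ACROSTIC_LEADIN.finditer(body):
        tail = body[m.end():].lstrip()
        head = LIST_END.split(tail, maxsplit=1)[0]
        words = CAP_WORD.findall(head)
        if MIN_LEN <= len(words) <= MAX_LEN:
            found.add("".join(w[0] for w in words))

    letters = PHONETIC.findall(body)
    if MIN_LEN <= len(letters) <= MAX_LEN:
        found.add("".join(letters))

    for m in SPACED.finditer(body):
        found.add(m.group(0).replace(" ", ""))

    return sorted(found)


def watchlist_hits(body: str, watchlist: Iterable[str]) -> List[str]:
    """Tickers from the message that are on a watchlist of symbols already seen being pumped."""
    wanted = set(watchlist)
    return [t for t in extract_tickers(body) if t in wanted]


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:15} -> {extract_tickers(text)}")
```

Any message that yields a candidate at all is suspicious on its own, since legitimate mail does not spell tickers out one word per letter; matching against a watchlist of symbols already seen in a run (QSMG, INCT) gives a low-false-positive rule for a mail gateway.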

UPDATE 16

After a week or so of being quiet, the QSMG spam has started again. No mention, of course, of the non-existent takeover last week, but somebody somewhere must feel the need to pump up that stock price once more. The stock value has almost halved in a week. Oddly, QSMG's latest press release makes no mention of this stock manipulation.. now would be a good time to do so.



From: Ron Manning
Subject: Here's a life changing tip that will guide you through trump's America
Date: Tue, 02 May 2017 13:12:49 +0530

Given the current political climate, there are very few certain things in this world.

I can tell you first hand that I've had a hard time profiting in the market since Trump's administration came in a few months ago.

So I've looked long and hard for opportunities to leverage this unusual situation we find ourselves in here in America, and I have found the way.

Special circumstances call for special measures, and a friend of mine reached out to me over the weekend telling me that there's a small company on the verge of being bought out by a top 500 firm.

The price at which this will happen? 21 bucks a share from a current paltry 60 cents.

This means that every ten thousand of stock you buy, you'll make around 350k when the announcement comes out to the public in a few days.

Why am I telling you this? I want like-minded people to benefit as well and I'm tired of all the big shots making the big bucks.

Take it the way you will, but watch symbol : Quick Sure Mary Garage (use the first letters of each word to make up your 4 letter symbol which you'll use to buy the stock)

One way or another, whether you get in or not, this buy out is going to happen and people are going to make 35x on their principal.

Why not get a piece of the action?


***
Best Wishes,
Ron Manning

UPDATE 17

Amazingly, after a month and a half the pump-and-dump spam for QSMG has started again..

From:    Quentin Johnson
Date:    16 June 2017 at 07:33
Subject:    You can make more than ten times your principal with just this 1 stock


It's been at least a few months since the last time I had the chance to share something amazing with you but if you recall you really made a mint on that last company.

Earlier today I got lucky because as I was having a bite with one of my good friends who works at a top banking firm, he let me in on a little "secret".

Basically they're working on closing a deal for a forbes 100 pharmaceutical company to purchase the entirety of a small drug maker that's just completed a cure for prostate tumors.

The company that's being acquired is trading at just a few pennies right now but the big pharma is paying around a buck a share for it.

This means if you grab shares today you'll be able to make at least ten times what you put in.

The symbol which you need to give your broker or put into your brokerage is the first letter of each of these words:

Quick
Sun
Main
Goal


Together they make up the 4 letter symbol which you need. Act quickly before other people get wind of this.

Since the spam run started weeks ago, the share price has dropped from $1.70 to just 7.5 cents today.


Basically, the shares have lost 95% of their value since then (and I suspect they are actually worth nothing at all). That's pretty typical for a pump-and-dump promoted stock, but what is unusual with this one is the sheer length of time it has been going on.

UPDATE 18

Yet another stupid pump and dump spam. Funnily enough I don't remember quadrupling my money on an apps company.

From:    Marva Gilliam
Date:    16 June 2017 at 15:20
Subject:    This biotech stock is guaranteed to jump 10x next week

This is going to sound crazy, but you remember last year when I told you to buy the mobile apps company before Sony acquired it and you quadrupled your money in just a few days?

I've got another one of those situations, and the information is just as reliable as last time...

It's from my same friend who works at Goldman up in new york.

This time around though it's a biotechnology company that finally completed human trials on an amazing life saving cancer medicine.

The results are not out yet but this guy told me that a large pharma is already aware of the success of the medicine and they are going to buy them out at a buck a share next week.

The current price of Q S M G (this is the symbol you need to enter in your account to buy)

is just around 10 cents so if you get in quickly you can make a really fast 10x in just a few days.

Thank me later.
UPDATE 19

This spam mentions an upcoming acquisition. It is perhaps just a coincidence that a press release from QSMG claims that some medical company called sanavida.online is being eyed for a takeover. Apropos of nothing, I wonder if that's a cash or stock acquisition?

From:    Alice Bowman
Date:    19 June 2017 at 11:39
Subject:    In less than 5 days this company could yield you a ten bagger

Good morning!

I've been involved in the markets for a few decades now and I'll be the first to tell you that things have never been as uncertain as they are today.

With a new administration heading our country, it's becoming increasingly difficult to get the edge in the markets.

At least, we can always count on lady luck to come in handy when we need her.

A friend of mine founded a small medical company a few years ago and he has been researching a novel way of using the immune system to kill tumors.

After extensive tests and lengthy approval processes, he finally got the green light on this life changing new therapy.

Because of that, a big pharma has put in an offer to buy out the entire company. At essentially 10 times the current trading value.

This guarantees that if you get shares today at under 20 cents each, you will cash out ten times that amount by Friday.

The ticker which you need to use to buy is the first letter of each of these words:

Quest, Start, Mega, Great

Together they make up the 4 letter symbol which you need. Get in as fast as you can before the price jumps.
UPDATE 20

And another one.. what's the betting that the stock won't shoot up tenfold on Friday?

From:    Loretta Head
Date:    19 June 2017 at 17:35
Subject:    Can you really make ten fold on your principal in just a few days?

With today's political climate, it is becoming increasing difficult to find winning stocks.

It's even more difficult to find that once in a blue moon company that you can get in and get a big hit with real quick.

Trump's policies are changing every day and there's no way to know what tomorrow brings to the markets.

That's why I am very fortunate to have stumbled upon a sure bet...

There's a small company that has just discovered a ground breaking medicine for tumors.

Without boring you with details, it's essentially the most effective treatment for cancer right now.

That caught the attention of the big boys and they're buying out this small company for about ten times its current market price.

This is set to occur by Friday. When the news is made public, the price will jump overnight. It's now at just around 0.20.

You do the math. Your upside is big.

The symbol is q.s.m.g

This is what you need to use in order to get shares. Move quick before others find out.

UPDATE 21

I think this passed the ridiculousness threshold some time ago.

From: "Hallie Robles"
Subject: Not sure where to invest? Here's a sure bet.
Date: Tue, 20 Jun 2017 17:33:16 +0600

Our country is going through a strange era. Recent political changes have oddly affected the markets and pretty much most stocks are on over drive right now.

If you have just a few thousand bucks to put into something, picking a winning company is not very easy since everything is so inflated.

I do however know of one that could be life changing. You know, it's a situation like one of those that you only read in the newspaper.

How a guy got really lucky when he put a few thousand in some small company and he made out like a bandit.

Is it just luck though? Or is there more to it than meets the eye?

I have it on good authority that a small medical research company has made a giant breakthrough in getting approval for a rare form of cancer.

Their shares were at over 2 bucks a couple of months ago, but sank to just a few cents when rumors spread that the treatment was ineffective in people.

Those rumors were not false, but they were based on segmented information.

The truth is that the treatment works and the company just got it past government approval.

The news is not public yet, though. At just a few cents a share, you have no downside. You can get in right now at rock bottom and watch it go right back to where it was a few months ago (to over 2 bucks) in a matter of hours once the announcement is out.

The symbol you need to use for the stock is q-s-m-g without the hyphens of course. You just give that to your broker or put it in yourself online in your portal and get in.

Maybe, you too, can make the newspapers for being a "lucky" person but you and I both know the real story.

UPDATE 22

This one tried to make excuses for the fact that QSMG stock has cratered. It's all bullshit of course.

From:    Ben Cain
Date:    20 June 2017 at 15:59
Subject:    This company just found a huge cure and no one knows about it yet!

Did you ever read an article online, or in a magazine praising some so called guru for making a few hundred grand out of just a few thousand by buying just one stock?

These articles are very common and they always make it seem like the guy (or gal) was an expert at this stuff.

I know for a fact that the only way to win in this is to have information that others don't. It's that simple.

If you know that something is going to happen before everyone else does, then you've got the edge.

Just in May, this company I've been watching was trading at a little over 2 bucks alright?

Within days, it got pummeled to just pennies. Apparently, on the incorrect rumor that their new immune  medicine wasn't working.

Now that the dust has settled, it's clear that the information was completely wrong. It just caused a panic, and herd mentality prevailed.

I have an “in” at the company and I know for a fact that not only does this new ground breaking treatment work, but that it just got approved by the f d a.

While this info isn't public yet, once it does become so, you can expect the share price to go right back up to over two dollars. Quite literally overnight. And I am expecting this announcement to come in the next few days.

The symbol you need to buy the stock is q/s/m/g without the / of course. You just give that to your broker or go to your online account and get at least twenty thousand shares.

If you act quickly and get in right now, maybe you'll be one of those cool winner stories people write about in magazines and articles.
UPDATE 23

Another one making excuses for the plummeting share price - "For some odd reasons though, their share price crashed through the floor" - which is nothing to do with them being virtually worthless. Oh no.

From:    Herbert Donovan
Date:    21 June 2017 at 08:18
Subject:    Here's an idea that could make you a small fortune...

Hi [redacted],

I'm not one to just go around and tell my friends random things… If you know me, then you know that I always like to make sure that I know what I'm talking about first.

This is why I waited so long before telling you what is in this email.

One of my closest friends works at a high tech medical firm. They discovered a very successful cure for a certain type of tumor.

For some odd reasons though, their share price crashed through the floor. It went from 2 bucks to like 10 cents over the last few weeks.

My buddy believes that this is due to people being misinformed regarding a new trump policy.

The reality is, the company I'm telling you about right now is about to get f d a approval in the next few weeks and their price is guaranteed to go up more than 15 times its current price.

This is why I think you should take a very close look at q's'm'g (without the apostrophes of course). This is the ticker of the company in question.

If you want something that's practically a sure bet, I recommend you get in this stock today. Even if it's for a modest amount.

You'll be in for a good ride.


Best Regards,
Herbert Donovan
UPDATE 24

More excuses.. and a nice little formatting error at the end.

From:    Ruth Slater
Date:    21 June 2017 at 15:32
Subject:    Let me share with you something that could make you big bucks

I have been around the block. I'm a veteran in this market. I was making my subscribers profits through both Bush, Obama and now Trump.

Back in the Bush Sr. days, I was just an article writer. I wrote for the WS in the Analyst column.

The internet has really changed everything.

Information now travels really fast and is much more accessible to everyone.

I had a lunch meeting with an old colleague a few days ago and he let me in on a little secret.

There's a tiny drug maker that's discovered a spectacular immune medicine. It will change the world and save millions of lives.

The information isn't public yet. In fact, that company was actually about to go bankrupt when the discovery happened. That's why their price dropped from a little over 2 bucks to just 0.10 now.

Long story short, when the news comes out publicly, this thing is going to shoot through the roof.

Based on my decades of experience, I expect it to at least go up 15 to 30 fold in a matter of hours.

The information will be public some time by next week. I recommend you grab shares quickly today if you can.

The symbol you need to use to get the shares is q>s>m>g obviously without the > I put that in there just to make it clearer.

If you miss out, this is on you. It's a rare chance that may never come again.
</html
UPDATE 25

After more than a month, this stupid pump and dump spam starts again. This is the twenty-sixth spam run that I have seen for this stock, although there could be more..

From:    Trina Guerra
Date:    31 July 2017 at 10:20
Subject:    I guarantee that this company will quadruple before Friday. Check it out

Did you know that markets are at an all time high?

Even non traditional places to stash some savings like bitcoin are out of control at an all time high.

Given that, it's so hard to make any serious scratch these days. Most things are overinflated and offer very little upside.

That's why I was super relieved when I stumbled upon a small medical company that's so undervalued I couldn't believe my eyes.

They just announced the results of trials which were extremely positive and I believe that the share value is poised to quadruple by this Friday.

At this time it's trading at an all time low of just five cents... It literally has no where to go but up.

I am going to grab a nice position this morning, and in your place, I'd seriously consider getting in today before the masses find out what's happening and the price shoots up.

The ticker is.  q s m g

Check it out now, you'll be glad you got in at under ten cents. You should also tell all your friends about this. I am expecting it to double today.

UPDATE 26

"I won't waste your time with nonsense" it says..

From:    Dominique Pugh
Date:    31 July 2017 at 15:22
Subject:    This stock is gonna go up 4 fold before the end of the week.

I won't waste your time with nonsense. I'll get right to it...

One of my best friends who happens to be employed at the largest firm in new york told me that I should really consider buying a specific stock today.

Without going into specifics he told me that it's going to at least quadruple in price this week.

It's a small company that's basically trading at rock bottom prices, and after digging a bit more into it I think that they are about to make a really massive announcement any day now.

If you can get in at between 7 and 10 cents in the next few minutes I really recommend you jump on it quickly. It's trading under the symbol q,s,m,g (just the letters without the commas). Type this in your account to buy it.

Don't waste any more time because before the day is over I think it will be much, much higher so now is your chance.


Best Wishes,
Dominique Pugh
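
Every run above hides the ticker differently: single letters separated by punctuation or spaces (q.s.m.g, q-s-m-g, q>s>m>g, Q S M G), an acrostic (Quick / Sun / Main / Goal, Quest / Start / Mega / Great), or the bare symbol. A mail filter that only looks for the string "QSMG" misses most of them. The following is an added example written for this page, not anything from the blog: a small Python detector that normalises those forms against a watchlist of pumped tickers. The sample messages are constructed from the spam quoted above, and the watchlist and function names are my own.

```python
import re

# Constructed samples modelled on the QSMG spam quoted above (not the original
# messages themselves): each hides the ticker in a different way.
SAMPLES = [
    "The symbol is q.s.m.g",
    "It's trading under the symbol q,s,m,g (just the letters without the commas).",
    "The symbol you need to use for the stock is q-s-m-g without the hyphens of course.",
    "take a very close look at q's'm'g (without the apostrophes of course)",
    "The ticker is.  q s m g",
    "Quick\nSun\nMain\nGoal",
    "Quest, Start, Mega, Great",
    "Please review the attached Q3 report before the Friday call.",  # benign control
]

WATCHLIST = {"QSMG"}  # tickers currently being pumped; extend as campaigns change

# Three to five single letters joined by one or two separator characters
# (whitespace, dot, comma, hyphen, apostrophe, slash, '>'), not touching other letters.
SPLIT_TICKER = re.compile(
    r"(?<![A-Za-z])[A-Za-z](?:[\s.,\-'/>]{1,2}[A-Za-z]){2,4}(?![A-Za-z])"
)
WORD = re.compile(r"[A-Za-z]+")


def find_tickers(text, watchlist):
    """Return sorted (method, ticker) pairs for every watchlisted symbol found in text."""
    hits = set()
    words = WORD.findall(text)

    # 1. Plain mention, e.g. "QSMG".
    for w in words:
        if w.upper() in watchlist:
            hits.add(("plain", w.upper()))

    # 2. Letters separated by punctuation or spaces, e.g. "q-s-m-g" or "Q S M G".
    for m in SPLIT_TICKER.finditer(text):
        sym = "".join(ch for ch in m.group(0) if ch.isalpha()).upper()
        if sym in watchlist:
            hits.add(("separated", sym))

    # 3. Acrostic: a run of capitalised words whose initials spell the symbol,
    #    e.g. "Quick / Sun / Main / Goal".
    for sym in watchlist:
        n = len(sym)
        for i in range(len(words) - n + 1):
            window = words[i:i + n]
            if (all(len(w) > 1 and w[0].isupper() for w in window)
                    and "".join(w[0] for w in window).upper() == sym):
                hits.add(("acrostic", sym))

    return sorted(hits)


def is_pump_spam(text, watchlist=WATCHLIST):
    """True if any watchlisted ticker is mentioned in any of the three forms."""
    return bool(find_tickers(text, watchlist))


if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample[:40]), "->", find_tickers(sample, WATCHLIST))
```

The watchlist is what keeps the false-positive rate down: the separated-letter pattern will match ordinary text now and then, but only a hit that spells a symbol under active promotion is reported. The acrostic check only fires on whole capitalised words, so "Q S M G" is reported once, as "separated".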


Monday, 19 December 2016

Malware spam: "Payslip for the month Dec 2016." leads to Locky

This fake financial spam leads to Locky ransomware:

From:    PATRICA GROVES
Date:    19 December 2016 at 10:12
Subject:    Payslip for the month Dec 2016.

Dear customer,

We are sending your payslip for the month Dec 2016 as an attachment with this mail.

Note: This is an auto-generated mail. Please do not reply.

The name of the sender will vary. Attached is a malicious Word document with a name like Payslip_Dec_2016_6946345.doc which has a VirusTotal detection rate of 12/55.

This Hybrid Analysis clearly shows Locky ransomware in action when the document is opened.

According to my usual reliable source, the various versions of this download a component from one of the following locations:

023pc.cn/8hrnv3
aguamineralsantacruz.com.br/8hrnv3
allard-g.be/8hrnv3
as-kanal-rohrreinigung.de/8hrnv3
aspecta-aso.net/8hrnv3
audehd.com/8hrnv3
audreyetsteve.fr/8hrnv3
baugildealtmark.de/8hrnv3
berstetaler.de/8hrnv3
birdhausdesign.com/8hrnv3
bperes.com.br/8hrnv3
brainfreezeapp.com/8hrnv3
delreywindows.com/8hrnv3
democracyandsecurity.org/8hrnv3
factoryfreeapparel.com/8hrnv3
garosero5.com/8hrnv3
globaser3000.com/8hrnv3
grafiquesvaros.com/8hrnv3
routerpanyoso.50webs.com/8hrnv3
skyers.awardspace.com/8hrnv3
www.andmax-rehabilitacja.pl/8hrnv3
www.bandhiga.com/8hrnv3
www.clinicafisiosan.com/8hrnv3
www.de-klinker.be/8hrnv3
www.foyerstg.pro/8hrnv3
www.globalchristiantrust.com/8hrnv3
www.neumayr-alkoven.com/8hrnv3
zimbabweaids.awardspace.com/8hrnv3

The malware then phones home to one of the following locations:

176.121.14.95/checkupdate (Rinet LLC, Ukraine)
193.201.225.124/checkupdate (PE Tetyana Mysyk, Ukraine)
188.127.237.76/checkupdate (SmartApe, Russia)
46.148.26.82/checkupdate (Infium, Latvia / Ukraine)


A DLL is dropped with a detection rate of 12/52.

Recommended blocklist:
176.121.14.95
193.201.225.124
188.127.237.76
46.148.26.82



Thursday, 15 December 2016

Malware spam: "Payment Processing Problem" leads to Locky

This fake financial spam leads to Locky ransomware:

From:    Juliet Langley
Date:    15 December 2016 at 23:17
Subject:    Payment Processing Problem

Dear [redacted],

We have to inform you that a problem occured when processing your last payment (code: 3132224-M, $789.$63).
The receipt is in the attachment. Please study it and contact us.


-
King Regards,
Juliet Langley

The name of the sender will vary, as will the reference number and dollar amounts. Attached is a ZIP file with a name somewhat matching the reference (e.g. MPay3132224.zip) containing in turn a malicious Javascript with a name similar to ~_AB1C2D_~.js.

My trusted source says that the scripts download a component from one of the following locations:

028cdxyk.com/mltxgc1
1688daigou.com/csuix
2lazy4u.de/ca4yq
adv-tech.ru/7p1jia
allan.multimediedesignerskive.dk/pohtr8mwl
amaniinitiative.org/ubaupn
artcoredesign.com/9ihg6by
atelier-coccolino.com/cvpphnaf7o
auto-zakaz.com.ua/phwcg
bantiki.me/hzzgidch
bikebrowse.com/qap3je2
blueprint-dsg.com/dtr22
bvntech.com/amrwwxei
chonamyoung.com/9vsdld
cprsim.com/h9o3msx
dealspari.com/r2jvx5h6kc
demo.ahost5.ru/dhvzqqbo
demo.pornuha4you.com/lba7ajvti
deutsch.awardspace.info/0zetkhmp
dicksmacker.com/qq4ctnrgc
dryerventexpress.com/pnpafot9g
elevationmusic.de/6gcg6
e-studiz.com/hn0hl7i
formatwerbung.de/axxlilgd
gieslerdavies.com/cjhwnit
goldenarms.myjino.ru/3wn40qkg
gwerucity.org.zw/a3fsqhu9od
happyfeet.de/7rebctpqn5
hho68.com/hbowe
honestflooring.com/85i95u6vd
houssiere.daniel.formations-web.alsace/npqddd8b
infinitecorp.ca/to7jp7
kawagebook.com/5cbwdd5hap
kayamuh.sarf.com.tr/nou0chc
ledticket.com/pbmcdnx5rj
lucapotenziani.com/zjtguxf
mainlinecarriers.co.tz/ycj7o
martawyczynska.com/ilfvn
mbdvacations.com/ou8kkem
movewithgrace.ca/r8omwc
obccllc.com/tze5um3hh
old.strommarnas.se/yazezuw7og
seven-cards.com/xe2llygi
spikaflora.ru/zyubd6mlb
store.elixe.net/jltuvjpcsh
test1.zrise.top/isk90e
testlife.ruyigou.com/pv2ryezg7
theexcelconsultant.com/vp9u7tpa
thezenatwork.com/yd2c49vg0
topstoneisland.com/ud4jqd
tunca.bel.tr/uo3jnqkgxn
ustadhanif.com/q0w93lkrvp
www.boldrini.org.br/csneth51
www.chocolaterie-servant.com/1l38y2p
www.englishworld.it/w6ynmr
www.kottalgenealogy.com/vkwf5rll0s
www.sapol.it/ou8e1ftep
zapotech.com/sqagj4
zhongguanjiaoshi.com/mklu7

The malware then phones home to the following locations:

185.129.148.56/checkupdate (MWTV, Latvia)
178.209.51.223/checkupdate [hostname: 454.SW.multiservers.xyz] (EDIS, Switzerland)
37.235.50.119/checkupdate [hostname: 454.2.SW.multiservers.xyz] (EDIS, Switzerland)


Recommended blocklist:
185.129.148.0/24
178.209.51.223
37.235.50.119

Malware spam: "Amount Payable" leads to Locky

This fake financial spam leads to Locky ransomware:

From:    Lynn Drake
Date:    15 December 2016 at 09:55
Subject:    Amount Payable

Dear [redacted],
The amount payable has come to $38.29. All details are in the attachment.
Please open the file when possible.


-
Best Regards,
Lynn Drake

The name of the sender will vary, although the dollar amount seems consistent in all the samples I have seen. Attached is a file with a name similar to doc_6937209.zip which contains an apparently randomly-named script in a format similar to ~_ZJR8WZ_~.js. The highly obfuscated script of one sample can be seen here. Typical detection rates for the script are around 16/54.

There are many different scripts, downloading a component from one of the following locations (thanks to my usual reliable source):

0668.com/k5bhgn
250sb.com./jynvmx
addwords.com.tr/aah6qmhv
anti-dust.ru/7k6cp
asdream.pl/gbbs1c
atio.li/exjik
bappeda.dharmasrayakab.go.id/dlhalychp
braindouble.com/uycx51ix
buhoutserts.ru/ufdazc6vv
casino-okinawa.com/ejguf
catherineduret.ch/5qpqi5ezp
chinaxw.org/xw1ju7y6zc
chungcuvinhomemydinh.com/6dvjasf
crolic88.myjino.ru/1ddig
demo.shispare.com/bvsjq
environment.ae/0od5hn
forbrent.com/h9kqgq
fyd123.cn/kib6h2d9ga
groupeelectrogeneservice.com/eefpeywf9z
hedefosgb.com/dpyzsb6u
hlonline.kentucky.com/i7z78
innercityarts.squaremdesign.com/dyo1w7
jianhu365.com/z9puqdj2eu
malamut.org/gizb2zq
obaloco.com.br/67mfj
peopleprofit.in/pyihdg
roman64.humlak.cz/7bnisgf
rulebraker.ru/zsw4cnf9o
scaune.qmagazin.ro/5hktu4h
slankmethode.nl/4zzq1am
subys.com/mjguriv80
szwanrong.com/x5qxzpjsi
tecnomundo.uy/a8rnlgzv
test1.giaiphaponline.org/0ytdjs1
test.sousouyo.com/feaetpnuee
theamericanwake.com/xw1ju7y6zc
travelinsider.com.au/mwaefb4b
trietlong.net/heyus
tx318.com/kqe4ca
ucbus.net/usdxqqt6
u-niwon.com/kmjg6j9ske
vaaren.dk/ogcz6ys0d
viscarci.com/wyqs6353
walkonwheels.net.au/qmd1uu
wdcd999.com/lm5z2snyqn
web-shuttle.in/eeo9oc
windshieldrepairvancouver.ca/qcp8k7
wiselysoft.com/qcymgbug7
wszystkodokuchni.pl/sl5yko7
wudiai.com/mc3hnwd
www.espansioneimmobiliare.com/akktnck
www.myboatplans.net/6d7ukeco6
wx.utaidu.com/1eybujbru
xlr8services.com/n970foumf
xn--k1affefe.xn--p1ai/8wzzjk24u
youspeak.pt/liowrtxs
yukngobrol.com/h7sfu
zhiyuw.com/qfbdcvrul
zwljfc.com/ld1pvjozu
zzzort10xtest123.com/nin5k3bwo

According to this Malwr analysis, a DLL is dropped with a detection rate of 18/55.  This Hybrid Analysis shows the Locky infection clearly and identifies some C2s, combining this with another source gives the following list of C2 servers:

86.110.117.155/checkupdate (Rustelekom, Russia)
185.129.148.56/checkupdate (MWTV, Latvia)
185.17.120.166/checkupdate (Rustelekom, Russia)


MWTV is a known bad host, so I recommend blocking the entire /24.

Recommended blocklist:
86.110.117.155
185.129.148.0/24
185.17.120.166


Friday, 9 December 2016

Malware spam: "Firewall Software" leads to Locky

This spam appears to come from multiple senders and leads to Locky ransomware:

From:    Herman Middleton
Date:    9 December 2016 at 07:40
Subject:    Firewall Software

Hey [redacted], it is Herman. You've asked me to order new firewall software for our office computers.
Done and ready. Here, in the attachment, is the full invoice of the software counteragent.

Please check it out.


--
King Regards,
Herman Middleton
IT Support Manager
Attached is a ZIP file with a name like f_license_5330349.zip which contains a randomly named .js script which is very highly obfuscated.

The Hybrid Analysis and Malwr report show that the script analysed downloads a component from welte.pl/mupze (there will probably be dozens of other locations) and appears to drop a DLL with a detection rate of 4/56. That Hybrid Analysis also detects C2 traffic to:

107.181.187.97/checkupdate [hostname: saluk1.example.com] (Total Server Solutions, US)
51.254.141.213/checkupdate (OVH, France)


It's worth mentioning perhaps that other Locky C2 servers seen in the past 12 hours are as follows:

91.142.90.46/checkupdate [hostname: mrn46.powerfulsecurities.com] (Miran, Russia)
195.123.209.23/checkupdate [hostname: prujio.com] (Layer6, Latvia)
185.127.24.247/checkupdate [hostname: free.example.com] (Informtehtrans, Russia)
176.121.14.95/checkupdate (Rinet LLC, Ukraine)
185.46.11.236/checkupdate (Agava, Russia)
178.159.42.248/checkupdate (Dunaevskiy Denis Leonidovich / Zomro, Ukraine)


Although some of these are from different sub-groups of Locky pushers, let's stick them all together for the sake of convenience. Note that there are at least a couple of bad /24 blocks in there.

Recommended blocklist:
51.254.141.213
91.142.90.46
107.181.187.97
176.121.14.95
178.159.42.248
185.46.11.0/24
185.127.24.247
195.123.209.0/24


Wednesday, 23 November 2016

Malware spam "Please Pay Attention" leads to Locky

This fake financial spam leads to Locky ransomware:

Subject:     Please Pay Attention
From:     Bill Rivera
Date:     Wednesday, 23 November 2016, 9:45

Dear [redacted], we have received your payment but the amount was not full.
Probably, this occurred due to taxes we take from the amount.
All the details are in the attachment - please check it out.

The name of the sender will vary. In the sample I analysed, a ZIP file was attached with a filename beginning lastpayment_ followed by the first part of the recipient's email address. This archive contains a randomly-named malicious .JS script that looks like this.

This particular script (and there will be others) downloads a malicious component from one of the following locations:

nielsredeker.nl/gmcoirnrm
gurlfanam.net/krwjx
vedicmotet.com/61y7mljr4
praam.cz/iessl
nightpeople.co.il/xklqq33nr

According to this Malwr report a malicious DLL is dropped with an MD5 of def0d0070d4aed411b84ebd713fd8b92 and a detection rate of 6/56.

The Hybrid Analysis clearly shows the ransomware in action and shows it communicating with the following URLs:

95.213.186.93/information.cgi [hostname: djaksa.airplexalator.com] (Selectel, Russia)
195.123.209.8/information.cgi [hostname: kostya234.itldc-customer.net] (Layer6, Latvia)
213.32.66.16/information.cgi (OVH, France)


Recommended blocklist:
95.213.186.93
195.123.209.8
213.32.66.16

Tuesday, 8 November 2016

Malware spam: "Suspicious movements" leads to Locky

This fake financial spam leads to Locky ransomware:

Subject:     Suspicious movements
From:     Marlene Parrish
Date:     Tuesday, 8 November 2016, 12:52

Dear [redacted], Leroy from the bank notified us about the suspicious movements on out account.
Examine the attached scanned record. If you need more information, feel free to contact me.
---
King regards,
Marlene Parrish
Account Manager
Tel.: 202-328-1800
U.S. Office of Personnel Management
1189 E Street, NW
Washington, DC 20415-1000

The names, addresses and telephone numbers will vary from message to message. Attached is a ZIP file (e.g. pdf_recipient_3608c4a.zip) which contains a malicious javascript (e.g. NRV_J51E8_.js) which looks like this (note the insane amount of whitespace).

That particular script downloads a malicious component from one of the following locations:

vexerrais.net/6sbdh
centinel.ca/wkr1j6n
3-50-90.ru/u4y5t
alpermetalsanayi.com/vuvls
flurrbinh.net/6mz3c5q


There will probably be other download locations. This Hybrid Analysis and this Malwr report show the Locky ransomware in action. This version of Locky does not appear to use C2 servers, but instead drops a malicious DLL with an MD5 of 75e6faf192d00b296d89df2cd56c454a and a detection rate of 9/56.

UPDATE

My usual reliable source (thank you) informs me that there are indeed C2 servers (see the end of the post). The download locations are as follows:

3-50-90.ru/u4y5t
365aiwu.net/hbdo6
85.92.144.157/y8giadzn
abclala.com/r2kvg2
abercrombiesales.com/nmuch6
accenti.mx/nryojp
acrilion.ru/84m9t
adriandomini.com.ar/bq62dx10
agorarestaurant.ro/cg06f
ajmontanaro.com/q9giar
alpermetalsanayi.com/vuvls
antivirus.co.th/jukwebgk
apidesign.ca/ijau8q2z
archmod.com/sapma828
assetcomputers.com.au/lkfpyww
avon2you.ru/ayz1waqm
ayurvedic.by/b9kk9k
babuandanji.jp/lq9kay
bepxep.com/mo05j41
berrysbarber.com/q6qsnfpf
bielpak.pl/a79a64h
bjshicheng.com/blewwab
bst.tw/gnjeebt
cafedelrey.es/snby1c
centinel.ca/wkr1j6n
cgrs168.com/xmej0mc
chandrphen.com/h4b1k
chaturk.com/mxaxemv1
cheedellahousing.com/h24ph1
ck.co.th/r2k6i6
codanuscorp.com/ay5v52r1
comovan.t5.com.br/byev5nd
competc.ca/qrc9n
concern-block.ru/nijp1xq
corinnenewton.ca/ctlt8b
cosmobalance.com/jsqlt0g
dekoral.eu/twnyr1s
dessde.com/zcwaya
dinglihn.com/zg3pnsj
dmamart.com/c5l2p
donrigsby.com/nts0mk
dowfrecap.net/0d08tp
dowfrecap.net/3muv7
dowfrecap.net/6f9tho
dowfrecap.net/7qd7rck9
drkitchen.ca/y5jllxe
drmulchandani.com/d6ymtf62
dunyam.ru/jge1b3e
dwcell.com/dph861ws
earthboundpermaculture.org/okez95b
edrian.com/dfc33k67
edubit.eu/b6ye94wv
eldamennska.is/h4yim
elektronstore.it/z298ejb9
elleart.nl/gn3pim41
eroger.be/918p2q
fibrotek.com/deoq2
flurrbinh.net/0nbir64
flurrbinh.net/3nrgpb
flurrbinh.net/6mz3c5q
flurrbinh.net/7wi66hp
geethikabedcollege.com/766epkuj
handsomegroup.com/ae2y1hr0
inzt.net/lbrisge
lashouli.com/rq4xoq3
odinmanto.com/0cz2zwz
odinmanto.com/2rw12
odinmanto.com/57evyr
odinmanto.com/7gplz
pastelesallegro.mx/ex67ri8
thisnspeel.com/04u77s
thisnspeel.com/2qrn06f
thisnspeel.com/3ypojyl0
thisnspeel.com/766epkuj
vexerrais.net/1jk8n
vexerrais.net/3nx3w
vexerrais.net/6sbdh
vexerrais.net/84fwijj
villaamericana.net/84fwijj
www.cutillas.fr/lmc80sdb

C2s:

185.67.0.102/message.php [hostname: endgo.ru] (Hostpro Ltd, Ukraine)
195.123.211.229/message.php [hostname: panteleev.zomro.com] (Layer6 Networks, Latvia)
185.102.136.127/message.php [hostname: koltsov12.mgn-host.ru] (MGNHost, Russia)
188.65.211.181/message.php (Knopp, Russia)


Recommended blocklist:
185.67.0.102
195.123.211.229
185.102.136.127
188.65.211.181



Monday, 7 November 2016

Malware spam: "Financial documents" leads to Locky

The never-ending Locky ransomware onslaught continues. This fake financial spam has a malicious attachment:

Subject:     Financial documents
From:     Judy Herman
To:     [redacted]
Date:     Monday, 7 November 2016, 10:53

Hi [redacted],

These financial documents need to be uploaded on the system.
Please let me know if you experience any technical problems.

Best Wishes,
Judy Herman 

Sender names will probably vary. In the sample I saw there was an attachment named fin_docs_f73856f4.zip containing a malicious script NRV_A194008F_.vbs that looks like this. This particular script (and there will be others like it) attempts to download from:

http://coachatelier.nl/lg8s2
http://bechsautomobiler.dk/m8idi9j
http://desertkingwaterproofing.com/ma4562
http://zapashydro.net/6sgto2bd
http://owkcon.com/6xgohg6i

According to this Hybrid Analysis, the malware then phones home to:

195.123.211.229/message.php [hostname: panteleev.zomro.com] (Layer6 Networks, Bulgaria / ITLDC, Latvia)
185.67.0.102/message.php [hostname: endgo.ru] (Hostpro Ltd. / hostpro.com.ua, Ukraine)
188.65.211.181/message.php (Knopp, Russia)


Recommended blocklist:
195.123.211.229
185.67.0.102
188.65.211.181




Thursday, 6 October 2016

Malware spam: "Your Order" and the inevitable Locky

This fake financial spam leads to Locky ransomware:

From:    Adrian Salinas
Date:    6 October 2016 at 10:13
Subject:    Your Order

Your order has been proceeded. Attached is the invoice for your order A-6166964.
Kindly keep the slip in case you would like to return or state your product's warranty.

Details will change from email to email. Attached is a ZIP file with a name similar to order_details_cb9782b.zip containing a malicious obfuscated javascript file named similarly to Cancellation Form 6328B32E.js

According to my source, these various scripts then download a component from one of the following locations:

activexsearch.com/yggv8
allinfo.xyz.com/zzi5zq2
aquatixbottle.com/yqr8i
askmeproperties.com/xc3db
asknaija.com/wvv5yh
atstory.com/zm2uojf
autokover.ru/z2oc4
b2c-batteries.com/hcgc64j
badimalik.com/dzqzl
bantayan.net/z3z3cc
baomoji.com/y6amo
betwer.com/t21j21t
booltom.com/19abb0h0
booltom.com/5nqlax
booltom.com/7dp0k
booltom.com/8qm9ldj
dipsite.com/r4f2wug
distribuidorabmk.com/wuv2rw
dvdworldmagazine.com/ptibu73
escolaemacao.com/rksgyuj
facerecognition.com.ba/cffdw
feuduprid.com/1xrdgx1j
feuduprid.com/6cpar
feuduprid.com/7sv4ygr9
feuduprid.com/aohsi
fifieoho.com/10a74fd
fifieoho.com/4u29v4
fifieoho.com/74uf3
fifieoho.com/8gplb
hdyzzs.com/qis3lqzw
kristiantouborg.com/trdmz3c
kronosmd.com/oqyxt
kuzeydogalgaz.com/gspiqv
laisou8.com/c4ecj8n
mayrice.net/07il79
mayrice.net/3w7eqv5
mayrice.net/6zok4n
mayrice.net/7uh0f
mgrshs.com/arabn
mmpang.com/h71zo4
mplaylist.com/mw921
nbjzpx.com/n9ih0k
net2008.com/mx93j63z
njykvalve.com/crk5x
numberoneenglish.com/b2v8x8
ofertacar.com/lzdp0id1
oguzhannakliyat.net/nhl290
onji.org/hox0lh
optimize4youseo.com/il9e7
oualili.org/kys133ec
ougelook.com/f7fr3
ozgurbasin.net/ceo09c
pandalove.ru/meft1bs5
peskara.com/n01afb
phaseiv.org/b0uo1
pioneerschina.com/xwks4
pmofmichigan.com/p1inbvn
prettymeuk.com/btvcc
print800.com/p3tw0nst
pro-units.ru/e8uosl
rbwm.ru/wvz996u
relishyomama.org/ebugjjni
sanalgelisim.com/pdjrz8w6
sccxtx.com/gdywsb9
sellflash.com/pjphz
sladetahil.com/1oiyflq
sladetahil.com/6763jdl
sladetahil.com/7fedf3f
sladetahil.com/99f2zg
speakrz.com/oa7ev
tbcthebillingcompany.com/u8uq8t5g
test1.unihost.link/rhh8saz
test.personne.ru/h3x2h682
vudie.com/uco3h8o
westpommern.com/ha0jaeo
winterferienhaus.com/sqfjn29
woodmode-eg.com/o47tu
yepi-games.net/wpp6wl0
zakscott.com/obg7n
zhiwuba.com/ogtkhy

The malware then phones home to the following IPs (belonging pretty much to the usual suspects):

46.8.44.105/apache_handler.php (Netart Group / Zomro, Ukraine)
91.219.28.76/apache_handler.php (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
188.120.236.21/apache_handler.php (TheFirst-RU, Russia)
217.12.223.78/apache_handler.php (ITL, Ukraine)
46.183.221.134/apache_handler.php (Dataclub, Latvia)

It attempts to contact the following domains, none of which were resolving for me:

vrqhyhyhfoqtetjj.su/apache_handler.php
aukahiofk.click/apache_handler.php
mbjyucltybuujwrec.pl/apache_handler.php
odktufycxibodtlgc.xyz/apache_handler.php
oglvsqvesshcq.work/apache_handler.php
tfgyuhlggusls.ru/apache_handler.php
senawhlqiyl.biz/apache_handler.php
gsrhrrx.su/apache_handler.php
sodugmdutpwo.click/apache_handler.php
ibmwyjowwkvquhftq.info/apache_handler.php
knsyllstwjfv.org/apache_handler.php
pxeuwhmghsnffbn.info/apache_handler.php

Recommended blocklist:
46.8.44.105
46.183.221.128/25
91.219.28.76
188.120.236.21
217.12.223.78


Thursday, 18 August 2016

Malware spam: "The office printer is having problems so I've had to email the UPS label"

This fake UPS email has a malicious attachment. It appears to come from various countries' UPS domains (e.g. ups.de, ups.co.uk), and from various senders.

From     "Laurence lumb" [Laurence.lumb25@ups.de]
Date     Thu, 18 Aug 2016 17:35:21 +0530
Subject     Emailing: Label

Good afternoon

The office printer is having problems so I've had to email the UPS label,
sorry for the inconvenience.

Cheers

Laurence lumb
Attached is a ZIP file with a name beginning "Label" plus a random number. This contains a malicious .WSF script file that downloads Locky ransomware from one of the following locations (according to my trusted source):

a-plusrijopleiding.nl/jkYTFhb7
cloud9surfphilippines.com/jkYTFhb7
concurs.kzh.hi2.ro/jkYTFhb7
cs-czosnusie.cba.pl/jkYTFhb7
dasproject.homepage.t-online.de/jkYTFhb7
detlevs-homepage.de/jkYTFhb7
edios.vzpsoft.com/jkYTFhb7
entree22.homepage.t-online.de/jkYTFhb7
entrematicomstyle.com/jkYTFhb7
hanakago3.web.fc2.com/jkYTFhb7
infocoard.50webs.com/jkYTFhb7
mortony.cba.pl/jkYTFhb7
ramenman.okoshi-yasu.com/jkYTFhb7
rgcgifuhashima.aikotoba.jp/jkYTFhb7
sulportale.50webs.com/jkYTFhb7
wb4rsun8c.homepage.t-online.de/jkYTFhb7
www.1-anwalt.de/jkYTFhb7
www.alexpalmieri.com/jkYTFhb7
www.beneli.be/jkYTFhb7
www.bkcelje.50webs.com/jkYTFhb7
www.ceccatobassano.it/jkYTFhb7
www.fabriziorossi.it/jkYTFhb7
www.jphmvossen.nl/jkYTFhb7
www.kdr.easynet.co.uk/jkYTFhb7
www.learnetplus.org/jkYTFhb7
www.lechner-maria.de/jkYTFhb7
www.parma-vivai.it/jkYTFhb7
www.pizzeriaelite.it/jkYTFhb7
www.pulsefl.0catch.com/jkYTFhb7
www.unice.it/jkYTFhb7
zsp17.y0.pl/jkYTFhb7


This dropped binary has a detection rate of 6/54. It phones home to the following locations:

185.129.148.19/php/upload.php (MWTV, Latvia)
51.255.107.8/php/upload.php (Webhost LLC Dmitrii Podelko, Russia / OVH, France)
194.67.210.183/php/upload.php (Marosnet, Russia)

Recommended blocklist:
185.129.148.0/24
51.255.107.8
194.67.210.183


Monday, 15 August 2016

Malware spam: "orderconfirmation@esab.co.uk" / "Order Confirmation-7069-2714739-20160815-292650"

This fake financial spam does not come from ESAB but is instead a simple forgery with a malicious attachment.

From:    orderconfirmation@esab.co.uk
Date:    15 August 2016 at 10:37
Subject:    Order Confirmation-7069-2714739-20160815-292650

_________________________________________________________________
This communication and any files transmitted with it contain information which is confidential and which may also be privileged. It is for the exclusive use of the intended recipient(s). If you are not the intended recipient(s), please note that any disclosure, copying, printing or use whatsoever of this communication or the information contained in it is strictly prohibited. If you have received this communication in error, please notify us by e-mail or by telephone as above and then delete the e-mail together with any copies of it.

ESAB does not accept liability for the integrity of this message or for any changes, which may occur in transmission due to network, machine or software failure or manufacture or operator error. Although this communication and any files transmitted with it are believed to be free of any virus or any other defect which might affect any computer or IT system into which they are received and opened, it is the responsibility of the recipient to ensure that they are virus free and no responsibility will be accepted by ESAB for any loss or damage arising in any way from receipt or use thereof. 
Attached is a file with a name similar to Order_Confirmation-7069-2714739-20160815-292650.docm which contains a malicious macro. There are various versions, which according to my source (thank you) download a component from one of the following locations:

marcinha.50webs.com/HJ6bhGHV
marimo1963430.web.fc2.com/HJ6bhGHV
mondialmt2.hi2.ro/HJ6bhGHV
orquestracaravan.com/HJ6bhGHV
turiblo.atspace.com/HJ6bhGHV
www.lancerortho.com/HJ6bhGHV
www.pescatoridelpontile.it/HJ6bhGHV
www.reniero.org/HJ6bhGHV
www.vinyljazzrecords.com/HJ6bhGHV
xn--kukuk-gstrow-jlb.de/HJ6bhGHV


The payload is Locky ransomware with a very low detection rate at present. It phones home to:

185.129.148.19/php/upload.php (MWTV, Latvia)
138.201.56.190/php/upload.php (Hetzner, Germany)
46.148.26.77/php/upload.php (Infium UAB, Ukraine)

The MWTV block is all bad. Recommended blocklist:
185.129.148.0/24
138.201.56.190
46.148.26.77


Friday, 12 August 2016

Malware spam: This E-mail was sent from "CUKPR0329001" (Aficio MP C305).

This spam comes with a malicious attachment:

Subject:     Message from "CUKPR0317276"
From:     scanner@victimdomain.tld (scanner@victimdomain.tld)
To:     webmaster@victimdomain.tld;
Date:     Friday, 12 August 2016, 14:00

This E-mail was sent from "CUKPR0329001" (Aficio MP C305).

Scan Date: 17.11.2015 09:08:40 (+0000)
Queries to: <scanner@victimdomain.tld>
The email appears to come from within the victim's own domain (but this is just a simple forgery). Attached is a ZIP file with a name similar to 201608120908.zip which contains a malicious .WSF script with a name similar to doc(171)-12082016.wsf.

This Hybrid Analysis shows the script downloading a file from www.hi-segno.com/02bjJBHDs?WUubFbrItd=ratyCr (and also the same location on bonmoment.web.fc2.com and www.homesplus.nf.net) but a trusted source tells me that the following download locations appear in different scripts:

birthday-cards.50webs.com/02bjJBHDs
bonmoment.web.fc2.com/02bjJBHDs
broda.50webs.com/02bjJBHDs
coachinglegend2.atspace.com/02bjJBHDs
dopelx.com/02bjJBHDs
einfachwalter.homepage.t-online.de/02bjJBHDs
files.zdaspb.ru/02bjJBHDs
kolkhoz.web.fc2.com/02bjJBHDs
muteofficial.web.fc2.com/02bjJBHDs
portraitstaffa.de/02bjJBHDs
preglitzer.heimat.eu/02bjJBHDs
scom2.web.fc2.com/02bjJBHDs
seinyco.es/02bjJBHDs
sportpferde-weihmayer.homepage.t-online.de/02bjJBHDs
studiocorrado.org/02bjJBHDs
sv-sportscars.nl/02bjJBHDs
tianooze.web.fc2.com/02bjJBHDs
www.bitupont.hu/02bjJBHDs
www.ceccosport.it/02bjJBHDs
www.herinvest.be/02bjJBHDs
www.hi-segno.com/02bjJBHDs
www.homesplus.nf.net/02bjJBHDs
www.meckem.de/02bjJBHDs
www.meteoerba.it/02bjJBHDs
www.milleniumbar.it/02bjJBHDs
www.nikawilliam.net/02bjJBHDs
www.oxxengarde.de/02bjJBHDs
www.planetk.it/02bjJBHDs
www.smilehi.info/02bjJBHDs


The malware phones home to:

185.129.148.19/php/upload.php (MWTV, Latvia)
138.201.56.190/php/upload.php (Hetzner, Germany)

That Latvian network range is all bad; I recommend that you block the lot. The payload is Locky ransomware.

Recommended blocklist:
185.129.148.0/24
138.201.56.190


Thursday, 11 August 2016

Malware spam: "New Doc" / "Scanned by CamScanner" / "Sent from Yahoo Mail on Android"

This spam has a malicious attachment:

From:    Ashley [Ashley747@victimdomain.tld]
Date:    11 August 2016 at 11:13
Subject:    New Doc 6-6

Scanned by CamScanner


Sent from Yahoo Mail on Android

The sender name and numbers in the subject vary, and it appears to come from within the sender's own domain (this is just a simple forgery). Attached is a malicious Word document with a name similar to New Doc 666-9.docm. A Hybrid Analysis of one sample shows a download location of fcm-makler.de/4GBrdf6 and my sources (thank you) tell me that there are many others, giving the following list:

151.ru/4GBrdf6
antonello.messina.it/4GBrdf6
fcm-makler.de/4GBrdf6
iceninegr.web.fc2.com/4GBrdf6
mccrarys.us/4GBrdf6
momoselok.ru/4GBrdf6
sando.oboroduki.com/4GBrdf6
www.EastsideAutoSalvage.com/4GBrdf6
www.fasulo.org/4GBrdf6
www.halloweenparty.go.ro/4GBrdf6
www.tommasobovone.com/4GBrdf6


The malware is Locky ransomware, and it phones home to the following locations:

185.129.148.19/php/upload.php (MWTV, Latvia)
195.16.90.23/php/upload.php (WIBO International s.r.o., Ukraine) [hostname: vz1.hostlife.net]
136.243.237.197/php/upload.php (Hetzner, Germany)

Recommended blocklist:
185.129.148.0/24
195.16.90.23
136.243.237.197
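The posts above each end with a recommended blocklist, and several share the same callback paths (/php/upload.php for the Locky samples, /apache_handler.php for the earlier family). The script below is an added example, not code from this blog, showing how a defender would turn those lists into a check over proxy or firewall logs: bare IPs and CIDR prefixes are parsed with the standard library's ipaddress module so that a destination inside 46.183.221.128/25 or 185.129.148.0/24 is caught even when the exact host differs, and a known callback path is flagged on its own so a callback to a not-yet-listed host still surfaces. The log format (timestamp, source, destination, method, URL) and the log lines themselves are constructed for the example; the blocklist entries and paths are the ones the posts list.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Recommended blocklist entries collected from the posts above, exactly as the blog lists them.
BLOCKLIST = [
    "46.8.44.105", "46.183.221.128/25", "91.219.28.76", "188.120.236.21", "217.12.223.78",
    "185.129.148.0/24", "51.255.107.8", "194.67.210.183",
    "138.201.56.190", "46.148.26.77",
    "195.16.90.23", "136.243.237.197",
]

# Callback paths the posts report: Locky uses /php/upload.php, the earlier family /apache_handler.php.
C2_PATHS = ("/php/upload.php", "/apache_handler.php")

# Constructed log format (assumption for this example): timestamp src dst METHOD url
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")

# Constructed sample log lines; the destinations are chosen to exercise the CIDR edges.
SAMPLE_LOG = [
    "2016-08-18T12:01:07Z 10.0.0.21 185.129.148.19 POST http://185.129.148.19/php/upload.php",
    "2016-08-18T12:01:09Z 10.0.0.21 46.183.221.200 POST http://46.183.221.200/apache_handler.php",
    "2016-08-18T12:02:00Z 10.0.0.33 93.184.216.34 GET http://example.com/index.html",
    "2016-08-18T12:02:30Z 10.0.0.33 203.0.113.9 POST http://203.0.113.9/php/upload.php",
    "2016-08-18T12:03:00Z 10.0.0.40 46.183.221.50 GET http://46.183.221.50/",
]


def load_blocklist(entries):
    """Parse bare IPs and CIDR prefixes into ip_network objects (a bare IP becomes a /32)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def dest_in_blocklist(ip, networks):
    """True if the IP falls inside any listed host or prefix. Raises ValueError for non-IP input."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def scan_log(lines, networks):
    """Return (line_no, reason, dst, url) for each line hitting the blocklist or a known C2 path."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a real pipeline would count these separately
        dst, url = m.group("dst"), m.group("url")
        reasons = []
        try:
            if dest_in_blocklist(dst, networks):
                reasons.append("blocklisted destination")
        except ValueError:
            pass  # destination logged as a hostname rather than an IP; rely on the path check
        if urlparse(url).path in C2_PATHS:
            reasons.append("known callback path")
        if reasons:
            hits.append((line_no, "; ".join(reasons), dst, url))
    return hits


def scan_sample():
    """Run the check over the constructed sample log."""
    return scan_log(SAMPLE_LOG, load_blocklist(BLOCKLIST))


if __name__ == "__main__":
    for line_no, reason, dst, url in scan_sample():
        print(f"line {line_no}: {reason} -> {dst} {url}")
```

On the sample above the first two lines hit on both the destination and the path, the fourth hits on the path alone (203.0.113.9 is documentation space and not in any list), and the last line is clean because 46.183.221.50 sits below the /25 boundary at .128. Feeding real logs only requires adapting LOG_RE to the device's format.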